3C.1 Overview of Criminal Offenses


Although technology creates new challenges that require new legislation, in some instances existing laws may apply. For instance, in AG's Reference No. 5 of 1980 ([1980] 3 All E.R. 88), the court was asked to decide whether a person who provides screen images derived from a videotape "publishes an obscene article" contrary to section 2 of the Obscene Publications Act, 1959. The defense counsel submitted that these words should not be applied to a piece of electronic equipment that Parliament could not have conceived of when the law was enacted. However, the court ensured that the new technology came within the meaning of the Act, holding at p. 92 that:

if the clear words of the statute are sufficiently wide to cover the kind of electronic device with which we are concerned in this case the fact that that particular form of electronic device was not in the contemplation of Parliament in 1959 is an immaterial consideration.

This same approach was endorsed by the Court of Appeal in R. v. Fellows, Arnold ([1997] 2 All E.R. 548), a case concerning the distribution of indecent photographs of children over the Internet where defense counsel argued that an image consisting of computer data was not a photograph.

In 2001, realizing that certain computer-related offenses required special consideration, 26 member countries convened in Budapest and signed the Council of Europe Convention on Cybercrime to create "a common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international co-operation" (paragraph 4 of the preamble to the convention). Several other countries subsequently signed the Convention. Although the COE Convention on Cybercrime represents an aspirational policy document, a country that ratifies the Convention commits to putting in place a legislative framework that deals with cybercrime according to Convention requirements. Within this commitment, each country is given discretion in relation to the full scope, say, of a criminal offense, by defining its particular elements of dishonest intent or requiring that serious harm be done before an offense is deemed to have been committed.

Despite a clear need for consistent legislation in Europe to facilitate cross-border investigations, there are major differences between the legal systems and cultures in European countries, making legislative consistency difficult. The COE Convention on Cybercrime has already been faulted by some for not taking due account of privacy rights. Also, there are discrepancies between the Convention and existing laws in some European countries that will take time to resolve. To appreciate these differences, it is instructive to compare categories of offenses set out by the Convention with related offenses in English law.

3C.1.1 Fraud and Forgery

Fraud and forgery are traditional offenses that may be facilitated by the use of technology. The Convention describes computer-related fraud and forgery offenses as follows.

  • computer-related forgery, that is, the intentional input, alteration, deletion or suppression of computer data resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data are directly readable and intelligible (Article 7); and

  • computer-related fraud, the intentional causing of a loss of property to another by any input, alteration, deletion or suppression of computer data or any interference with the functioning of a computer system with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another (Article 8).

Existing legislation is, in most cases, fit to deal with their commission. An example of the need for new legislation to combat computer-related crime is the situation in England where, for a fraud to be committed, it must be shown that a person was deceived (Section 15 of the Theft Act 1968). Where the process is automated, the element of deception of a person may be missing, and thus, no offense proved. It may be necessary to widen the meaning of deception to include deception of machines, or to introduce new legislation directed at this computer-related mischief.

Section 9 of the Irish Criminal Justice (Theft and Fraud Offences) Act, 2001, tackles computer-related fraud and forgery by creating the offense of unlawful use of a computer in the following terms:

A person who dishonestly, whether within or outside the State, operates or causes to be operated a computer within the State with the intention of making a gain for himself or herself or another, or of causing loss to another, is guilty of an offence.

Another area of growing concern is identity fraud - effectively stealing an individual's virtual identity for financial gain. In an effort to address this and other computer-related fraud and forgery, Section 25 of the Irish Electronic Commerce Act, 2000 (an Act that provides for the legal recognition of electronic contracts, electronic writing, electronic signatures and original information in electronic form in relation to commercial and non-commercial transactions, the admissibility of evidence in relation to such matters, the accreditation, supervision and liability of certification service providers and the registration of domain names) prohibits fraud and misuse of electronic signatures and signature creation devices by creating offenses in the following terms:

25.—A person or public body who or which—

  1. knowingly accesses, copies or otherwise obtains possession of, or recreates, the signature creation device of another person or a public body, without the authorisation of that other person or public body, for the purpose of creating or allowing, or causing another person or public body to create, an unauthorised electronic signature using the signature creation device,

  2. knowingly alters, discloses or uses the signature creation device of another person or a public body, without the authorisation of that other person or public body or in excess of lawful authorisation, for the purpose of creating or allowing, or causing another person or public body to create, an unauthorised electronic signature using the signature creation device,

  3. knowingly creates, publishes, alters or otherwise uses a certificate or an electronic signature for a fraudulent or other unlawful purpose,

  4. knowingly misrepresents the person's or public body's identity or authorisation in requesting or accepting a certificate or in requesting suspension or revocation of a certificate,

  5. knowingly accesses, alters, discloses or uses the signature creation device of a certification service provider used to issue certificates, without the authorisation of the certification service provider or in excess of lawful authorisation, for the purpose of creating, or allowing or causing another person or a public body to create, an unauthorized electronic signature using the signature creation device, or

  6. knowingly publishes a certificate, or otherwise knowingly makes it available to anyone likely to rely on the certificate or on an electronic signature that is verifiable with reference to data such as codes, passwords, algorithms, public cryptographic keys or other data which are used for the purposes of verifying an electronic signature, listed in the certificate, if the person or public body knows that -

    1. the certification service provider listed in the certificate has not issued it,

    2. the subscriber listed in the certificate has not accepted it, or

    3. the certificate has been revoked or suspended, unless its publication is for the purpose of verifying an electronic signature created before such revocation or suspension, or giving notice of revocation or suspension,

is guilty of an offence.

These kinds of offenses are likely to arise more frequently with the increased use of digital certificates and other digital identification mechanisms.

3C.1.2 Child Pornography

Offenses relating to the possession and distribution of child pornography are probably the most litigated and certainly the most notorious of cyber offenses. The Convention addresses this complex area in the following suggestions.

  1. Each party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct:

    a. producing child pornography for the purpose of its distribution through a computer system;

    b. offering or making available child pornography through a computer system;

    c. distributing or transmitting child pornography through a computer system;

    d. procuring child pornography through a computer system for oneself or for another;

    e. possessing child pornography in a computer system or on a computer-data storage medium.

  2. For the purpose of paragraph 1 above "child pornography" shall include pornographic material that visually depicts:

    a. a minor engaged in sexually explicit conduct;

    b. a person appearing to be a minor engaged in sexually explicit conduct;

    c. realistic images representing a minor engaged in sexually explicit conduct.

  3. For the purpose of paragraph 2 above, the term "minor" shall include all persons under 18 years of age. A party may, however, require a lower age-limit, which shall be not less than 16 years.

  4. Each party may reserve the right not to apply, in whole or in part, paragraph 1(d) and 1(e), and 2(b) and 2(c).

The associated law in England predates the Convention and did not specifically mention computers. Section 1(1) of the Protection of Children Act, 1978 as amended by the Criminal Justice and Public Order Act, 1994 makes it an offense:

  a. to take, or permit to be taken, an indecent photograph of a child (a person under the age of 16); or

  b. to distribute or show such indecent photographs or pseudo-photographs; or

  c. to have in his possession such indecent photographs or pseudo-photographs with a view to their being distributed or shown by himself or others ...

By virtue of the amendment made by the 1994 Act, the term photograph includes data stored on a computer disk or by other electronic means which are capable of conversion into a photograph, including graphic images (Section 7(4)(b)). The test, therefore, is that if data can be converted into an indecent image it will be deemed a photograph for the purposes of the section. In addition, Section 160 of the English Criminal Justice Act, 1988 provides inter alia that:

  1. It is an offence for a person to have any indecent photograph or pseudo-photograph of a child in his possession.

  2. Where a person is charged with an offence under subsection (1) it shall be a defence for him to prove -

    1. that he had a legitimate reason for having the photograph or pseudo-photograph in his possession; or

    2. that he had not himself seen the photograph or pseudo-photograph and did not know nor had any cause to suspect, it to be indecent; or

    3. that the photograph or pseudo-photograph was sent to him without any prior request made by him or on his behalf and that he did not keep it for any unreasonable time.

The Court of Appeal case of R. v. Fellows, Arnold ([1997] 2 All E.R. 548) is a leading English case on the interpretation of Section 1 of the Protection of Children Act, 1978, and specifically on the question of what might constitute the "distributing" or "showing" of offending material.

CASE EXAMPLE (R. v. FELLOWS 1997):

start example

Alban Fellows and Stephen Arnold were arrested after a large amount of child pornography was found on an external hard drive attached to a computer belonging to Fellows's employer, Birmingham University. Fellows and Arnold were convicted of distributing the child pornography in this archive to others on the Internet. On appeal, defense counsel submitted to the court, inter alia, that the data were not "distributed or shown" merely by reason of their being made available for downloading by other computer users, since the recipient did not view the material held in the archive file, but rather a reproduction of that data, which was then held in the recipient's computer after transmission had taken place. The Court of Appeal rejected this argument, holding at p. 558 that:

the fact that the recipient obtains an exact reproduction of the photograph contained in the archive in digital form does not mean, in our judgment, that the (copy) photographs in the archive are not held in the first appellant's possession with a view to those same photographs being shown to others. The same data are transmitted to the recipient so that he shall see the same visual reproduction as is available to the sender whenever he has access to the archive himself.

Fellows was sentenced to three years in prison and Arnold to six months.

end example

In another English case, R. v. Bowden ([2000] 1 Crim.App.R. 438), the Court of Appeal considered the question of whether the downloading and/or printing out of computer data of indecent images of children from the Internet was capable of amounting to the offense of making child pornography.

CASE EXAMPLE (R. v. BOWDEN 2000):

start example

The facts of the case as set out in the judgment of Otton L.J. are that the defendant took his computer hard drive in for repair. While examining the computer, the repairer found indecent material on the hard drive. As a result of a subsequent investigation, police seized a computer and equipment including hard disk and floppy disks from the defendant. They examined the disks, which contained indecent images of young boys. The defendant had downloaded the photographs from the Internet, and either printed them out himself, or stored them on his computer disks. It was not contested that all the photographs were indecent and involved children under sixteen years. When arrested and interviewed, the defendant accepted that he had obtained the indecent material from the Internet and downloaded it onto his hard disk in his computer for his own personal use. He did not know it was illegal to do this. He admitted that he had printed out photographs from the images he had downloaded.

At first instance, defense counsel submitted that the defendant was not guilty of "making" photographs contrary to the section. He submitted that the defendant was in possession of them but nothing more. The Court of Appeal held that despite the fact that he made the photographs and the pseudo-photographs for his "own use", the defendant's conduct was clearly caught by the Act, stating at p. 444:

Section 1 is clear and unambiguous in its true construction. Quite simply, it renders unlawful the making of a photograph or a pseudo-photograph ... the words "to make" must be given their natural and ordinary meaning ... As a matter of construction such a meaning applies not only to original photographs but, by virtue of section 7, also to negatives, copies of photographs and data stored on computer disk.

The court adopted the prosecution's submissions, reported at pp. 444 to 445 of the judgment, that:

a person who either downloads images onto a disk or who prints them off is making them. The Act is not only concerned with the original creation of images, but also their proliferation. Photographs or pseudo-photographs found on the Internet may have originated from outside the United Kingdom; to download or print within the jurisdiction is to create new material which hitherto may not have existed therein.

end example

By equating downloading a file from the Internet with making it, the court concluded that Bowden had violated Section 1(1)(a) of the Protection of Children Act 1978.

To avoid any ambiguity, the Convention independently addresses producing and procuring child pornography using a computer. Also, in its definition of child pornography, the Convention includes images rendered using a computer that appear to contain minors but do not depict actual children. It should also be noted that in addition to these direct offenses, the Convention recommends offenses concerning ancillary liability, that is, attempting, aiding and abetting.

3C.1.3 Computer Misuse

The Convention introduces the following five offenses against the confidentiality, integrity and availability of computer data and systems.

  1. illegal access, that is, intentional access to the whole or any part of a computer system without right (Article 2);

  2. illegal interception, being the intentional interception without right made by technical means of non-public transmissions of computer data to, from or within a computer system (Article 3);

  3. data interference, that is, the intentional damaging, deletion, deterioration, alteration or suppression of computer data without right (Article 4);

  4. system interference, being intentionally seriously hindering without right the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data (Article 5); and

  5. misuse of devices, that is, the production, sale, procurement for use, import, distribution or otherwise making available of a device or password or access code with the intent that it be used for the purpose of committing any of the offenses established in articles 2-5 (Article 6).

In 1990, England became the first European country to enact a law to address computer crime specifically. The Computer Misuse Act introduced three new offenses: unauthorized access to a computer; unauthorized access with intent to commit or facilitate the commission of further offenses; and unauthorized modification of computer material (ss. 1, 2, and 3).

3C.1.3.1 Unauthorized Access

The first offense under the Computer Misuse Act is your basic computer intrusion offense, which one commentator compares with breaking and entering (Gringas 2002, p. 285). Section 1(1) provides that:

A person is guilty of an offense if -

  1. he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

  2. the access he intends to secure is unauthorised; and

  3. he knows at the time when he causes the computer to perform the function that that is the case.

So, the elements to be proved are that the perpetrator intended to break into the computer in the knowledge that he/she did not have authority so to do. The actus reus (the act or omissions that comprise the physical elements of a crime as required by law) is the action of breaking in (causing a computer to perform any function); the mens rea (literally: guilty mind) is the dishonest intent with knowledge of no authority. The definition of unauthorized access in the Act is quite literal and, as a result, is limiting.

CASE EXAMPLE (D.P.P. v. BIGNELL 1998):

start example

In this case, the court was concerned with a situation where police officers secured access to the police national computer for a non-police but rather personal use. The question was whether this amounted to commission of an offense contrary to section 1 of the 1990 Act. The court held that the defendants had authority to access the police computer even though they did not do so for an authorized purpose. Therefore, they did not commit an offense contrary to section 1 of the Act. The court noted in its judgment that the 1990 Act was enacted to criminalize the act of breaking into computer systems. Thus, once the access was authorized, the Act did not look at the purpose for which the computer was accessed.

end example

In this case, the defendant used the police computer in relation to two motor vehicles, the property of the defendant's former wife and her new partner. While this may have been a reprehensible infringement on their privacy, it did not constitute the crime of unauthorized access. Furthermore, the defendant narrowly avoided another crime when the innocent parties denied that he stalked them. The case, nonetheless, gave rise to the question of whether the offense of unauthorized access might be extended to a situation of improper or illegal use by an authorized user. This question was considered by the House of Lords in the case of R. v. Bow Street Magistrate (ex parte US Government, Allison [1999] 3 W.L.R. 620) where they refined interpretation of the notion of authorized or unauthorized access.

CASE EXAMPLE (R. v. BOW STREET MAGISTRATE - ALLISON 1997):

start example

The defendant was accused of conspiring with legitimate employees of American Express to secure access to the American Express computer system with intent to commit theft and fraud, and to cause a modification of the contents of the American Express computer system. The Court of Appeal held that access was unauthorized under the Computer Misuse Act if (a) the access to the particular data in question was intentional; (b) the access in question was unauthorized by a person entitled to authorize access to that particular data; and (c) it was made knowing that the access to that particular data was unauthorized.

The court explained the decision as follows:

the evidence concerning [the American Express employee]'s authority to access the material data showed that she did not have authority to access the data she used for this purpose. At no time did she have any blanket authorisation to access any account or file not specifically assigned to her to work on. Any access by her to an account which she was not authorised to be working on would be considered a breach of company policy and ethics and would be considered an unauthorised access by the company. The computer records showed that she accessed 189 accounts that did not fall within the scope of her duties. Her accessing of these accounts was unauthorised. ... The proposed charges against Mr. Allison therefore involved his alleged conspiracy with [the employee] for her to secure unauthorised access to data on the American Express computer with the intent to commit the further offences of forging cards and stealing from that company. It is [the employee]'s alleged lack of authority which is an essential element in the offences charged.

end example

The House of Lords noted that the court at first instance had felt constrained by the strict definition of unauthorized access in the Act and the interpretation put upon it by the court in D.P.P. v. Bignell. The House of Lords went on to assert that the definition of unauthorized access in section 17 of the Act was open to interpretation, clarifying the offense as follows.

Section 17 is an interpretation section. Subsection (2) defines what is meant by access and securing access to any programme or data. It lists four ways in which this may occur or be achieved. Its purpose is clearly to give a specific meaning to the phrase "to secure access". Subsection (5) is to be read with subsection (2). It deals with the relationship between the widened definition of securing access and the scope of the authority which the relevant person may hold. That is why the subsection refers to "access of any kind" and "access of the kind in question". Authority to view data may not extend to authority to copy or alter that data. The refinement of the concept of access requires a refinement of the concept of authorisation. The authorisation must be authority to secure access of the kind in question. As part of this refinement, the subsection lays down two cumulative requirements of lack of authority. The first is the requirement that the relevant person be not the person entitled to control the relevant kind of access. The word "control" in this context clearly means authorise and forbid. If the relevant person is so entitled, then it would be unrealistic to treat his access as being unauthorised. The second is that the relevant person does not have the consent to secure the relevant kind of access from a person entitled to control, i.e., authorise, that access.

Subsection (5) therefore has a plain meaning subsidiary to the other provisions of the Act. It simply identifies the two ways in which authority may be acquired - by being oneself the person entitled to authorise and by being a person who has been authorised by a person entitled to authorise. It also makes clear that the authority must relate not simply to the data or programme but also to the actual kind of access secured. Similarly, it is plain that it is not using the word "control" in a physical sense of the ability to operate or manipulate the computer and that it is not derogating from the requirement that for access to be authorised it must be authorised to the relevant data or relevant programme or part of a programme. It does not introduce any concept that authority to access one piece of data should be treated as authority to access other pieces of data "of the same kind" notwithstanding that the relevant person did not in fact have authority to access that piece of data. Section 1 refers to the intent to secure unauthorised access to any programme or data. These plain words leave no room for any suggestion that the relevant person may say: "yes, I know that I was not authorised to access that data but I was authorised to access other data of the same kind." (pp. 626–627)

It is not clear how the COE Convention on Cybercrime defines "without right", and the same issue may arise. This situation is explicitly addressed by the US Computer Fraud and Abuse Act using the language "accessed a computer without authorization or exceeding authorized access".

3C.1.3.2 Facilitating the Commission of Other Offenses

The second of the Computer Misuse offenses has the additional element of an intent to commit or facilitate the commission of further offenses, such as the theft of or damage to data or the system in the previous case example (R. v. Bow Street Magistrate - Allison). It should be noted that a perpetrator may be guilty of this offense even where he/she has not in fact committed a further offense or indeed where the intended further offense would have been impossible to commit. It is the intention that offends. Section 2(3) of the Act states that, "It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access or on any future occasion."

For instance, the case of R. v. Governor of Brixton Prison (ex parte Levin) ([1997] 3 All E.R. 289), would come under section 2(3), if committed in England. In that case, Levin used a computer terminal in Russia to gain unauthorized access to the computerized fund transfer service of Citibank in the United States and made fraudulent transfers of funds from the bank to accounts that he or his associates controlled.

The COE Convention does not clearly address this offense.

3C.1.3.3 Unauthorized Modification of Computer Material

The third Computer Misuse offense involves unauthorized modification of the contents of any computer. The offender must intend to cause the modification and must know that such modification is unauthorized. The requisite intent is stated in Section 3(2):

... the requisite intent is an intent to cause modification of the contents of any computer and by so doing:

  1. to impair the operation of any computer;

  2. to prevent or hinder access to any program or data held in any computer; or

  3. to impair the operation of any such program or the reliability of any such data.

The kinds of activities envisaged in this offense include denial of service attacks and the spreading of malicious code such as viruses or worms. The COE Convention describes this type of offense in two sections - data interference and system interference - using more general terms like "deterioration, alteration or suppression of computer data". These terms may be too general for legislative purposes. Despite being a decade older than the Convention, the Computer Misuse Act addresses the same offenses in a more concise and clear manner.

It should be noted that the possession or production of code that could be used to cause modification is not an offense. Nevertheless, its discovery on a computer may be useful in investigating cases of unauthorized modification. To prove this offense, it is necessary to show that modification occurred as a result of the acts of the defendant.

CASE EXAMPLE (R. v. WHITELEY 1991):

start example

This case occurred prior to the Computer Misuse Act and was prosecuted under the Criminal Damage Act, 1971. The defendant had broken into the Joint Academic Network system, a network of connected ICL mainframe computers at universities, polytechnics and science and engineering research institutions. The defendant deleted and added files, put on messages, made sets of his own users and operated them for his own purposes, changed the passwords of authorized users and deleted files that would have recorded his activity. He successfully attained the status of systems manager of particular computers, enabling him to act at will without identification or authority.

Under the Criminal Damage Act, the defendant was charged with causing criminal damage to the computers by bringing about temporary impairment of usefulness of them by causing them to be shut down for periods of time or preventing them from operating properly and, distinctly, with causing criminal damage to the disks by way of alteration to the state of the magnetic particles on them so as to delete and add files - the disks and the magnetic particles on them containing the information being one entity and capable of being damaged. The jury acquitted the defendant of the first charge and convicted on the second. The defense appealed the conviction to the Court of Appeal on the basis that a distinction had to be made between the disk itself and the intangible information held upon it which, it was contended, was not capable of damage as defined in law (at that time).

The Court of Appeal held that what the Criminal Damage Act required to be proved was that tangible property had been damaged, not necessarily that the damage itself should be tangible. There could be no doubt that the magnetic particles on the metal disks were a part of the disks and if the defendant was proved to have intentionally and without lawful excuse altered the particles in such a way as to impair the value or usefulness of the disk, it would be damage within the meaning of the Act. The fact that the damage could only be detected by operating the computer did not make the damage any less within the ambit of the Act.

end example




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
